Mobile Malware Analysis Part 3 – Pegasus

Application Detail

Name: Media Sync

Package: seC.dujmehn.qdtheyt

SHA-256 Hash: bd8cda80aaee3e4a17e9967a1c062ac5c8e4aefd7eaa3362f54044c2c94db52a

Introduction

Welcome back, malware enthusiasts, to the third chapter of our Mobile Malware Analysis saga! Today, we’re diving headfirst into the world of a Pegasus/Chrysaor variant that’s about as unpredictable as a rollercoaster ride. Throughout this analysis, we will uncover sneaky obfuscation techniques and embark on a thrilling journey through a horde of malicious binaries.

So, without further ado, let’s get started!

Analysis

Let’s begin analyzing the sample using JADX to get an idea of what the Android malware is doing.

Android Manifest.xml

Permissions

				
					[..REDACTED..]
<uses-permission android:name="android.permission.FORCE_STOP_PACKAGES"/>
<uses-permission android:name="android.permission.ACCESS_CHECKIN_PROPERTIES"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"/>
<uses-permission android:name="android.permission.ACCESS_MOCK_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.ACCESS_SURFACE_FLINGER"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.ACCOUNT_MANAGER"/>
<uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
<uses-permission android:name="android.permission.BATTERY_STATS"/>
<uses-permission android:name="android.permission.BIND_APPWIDGET"/>
<uses-permission android:name="android.permission.BIND_DEVICE_ADMIN"/>
<uses-permission android:name="android.permission.BIND_INPUT_METHOD"/>
<uses-permission android:name="android.permission.BIND_REMOTEVIEWS"/>
<uses-permission android:name="android.permission.BIND_WALLPAPER"/>
<uses-permission android:name="android.permission.BLUETOOTH"/>
<uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
<uses-permission android:name="android.permission.BRICK"/>
<uses-permission android:name="android.permission.BROADCAST_PACKAGE_REMOVED"/>
<uses-permission android:name="android.permission.BROADCAST_SMS"/>
<uses-permission android:name="android.permission.BROADCAST_STICKY"/>
<uses-permission android:name="android.permission.BROADCAST_WAP_PUSH"/>
[..REDACTED..]

We can see that the application requests a huge number of permissions, including dangerous ones such as android.permission.BRICK, android.permission.MOUNT_FORMAT_FILESYSTEMS, android.permission.DIAGNOSTIC and many more.

Components

				
					//AndroidManifest.xml

<activity android:label="@string/abc_fade_in" android:name="seC.dujmehn.qdtheyt.Dujmehnpqyd">
    <intent-filter>
          <action android:name="android.intent.action.MAIN"/>
    </intent-filter>
</activity>
<activity android:theme="@android:style/Theme.Black.NoTitleBar" android:name=".heeCJqf.IxemTuinjef" class="com.network.android.ShowDesktop"/>
<activity android:theme="@android:style/Theme.Black.NoTitleBar" android:name=".heeCJqf.RBqsnIshuud" class="com.network.android.BlackScreen"/>
<receiver android:name="seC.dujmehn.qdtheyt.ICiHusuyluh" android:enabled="true">
    <intent-filter android:priority="100">
        <action android:name="android.intent.action.DATA_SMS_RECEIVED"/>
        <data android:scheme="sms"/>
        <data android:host="localhost"/>
        <data android:port="0"/>
    </intent-filter>
</receiver>
<receiver android:name="seC.dujmehn.qdtheyt.qwudj.DujmehnHusuyluh" android:enabled="true">
    <intent-filter>
        [..REDACTED..]
    </intent-filter>
</receiver>
<receiver android:name=".heeCJqf.QkjeQdimuhHusuyluh" android:enabled="true">
    <intent-filter android:priority="100">
        <action android:name="android.intent.action.PHONE_STATE"/>
    </intent-filter>
</receiver>
<receiver android:name="seC.dujmehn.qdtheyt.QdtheytSqBBTyhusjMqjsxuh" android:enabled="true">
    <intent-filter android:priority="100">
        <action android:name="android.intent.action.PHONE_STATE"/>
    </intent-filter>
</receiver>
<receiver android:name="seC.dujmehn.qdtheyt.ReejHusuyluh" android:enabled="true">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter>
</receiver>
<receiver android:name="seC.dujmehn.Cutyq.SehuHusuyluh"/>
<receiver android:name="seC.dujmehn.Besqjyed.FydwHusuyluh"/>
<receiver android:name="seC.dujmehn.Besqjyed.EdQBqhCHusuyluh"/>
<service android:name="seC.dujmehn.qdtheyt.qdtheyt.Cedyjeh.QffIuhlysu"/>
<service android:name="seC.dujmehn.qdtheyt.qdtheyt.Cedyjeh.QffIuhlysuFydwuh"/>
<service android:name="seC.dujmehn.qdtheyt.qdtheyt.Cedyjeh.DujmehnpqdqwuhIuhlysu" android:enabled="true"/>
<service android:name=".heeCJqf.putyqFBqOuhXqdtBuhIuhlysu" android:enabled="true"/>
<service android:name="seC.dujmehn.kiit.STKIITIuhlysu" android:enabled="true" android:exported="true">
    <intent-filter>
        <action android:name="com.android.ussd.IExtendedNetworkService"/>
    </intent-filter>
</service>

There are many components, and their names are (probably) obfuscated, but the most important thing to note is that about 90% of these components are not present on disk inside the APK.

Now, what does the statement “components not present in the APK” mean?

Basically, the Smali/Java code for these components is not included in this APK file; it is most likely loaded at runtime using DexClassLoader or InMemoryDexClassLoader.

The components named EdQBqhCHusuyluh, FydwHusuyluh and SehuHusuyluh are the ones actually present in the APK.
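Both observations above (the oversized permission list, and components that the manifest declares but the APK does not ship code for) can be checked mechanically during triage. The following Python script is an added example written for this write-up; it is not code from the original post or from the malware. It parses a manifest with the standard library, resolves each declared component to a fully qualified class name the way the platform does, and reports which of them are absent from a DEX class list (in practice you would produce that list from classes.dex with a tool such as androguard or dexdump). The manifest excerpt and the DEX class set below are constructed sample input modelled on the values shown above, and the permission watchlist is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Permissions worth flagging at triage time. This watchlist is an assumption
# made for the example; extend it for your own triage.
WATCHLIST = {
    "android.permission.BRICK",
    "android.permission.MOUNT_FORMAT_FILESYSTEMS",
    "android.permission.DIAGNOSTIC",
    "android.permission.FORCE_STOP_PACKAGES",
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BROADCAST_SMS",
}

# Constructed manifest excerpt modelled on the one shown above (not the full file).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="seC.dujmehn.qdtheyt">
  <uses-permission android:name="android.permission.FORCE_STOP_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.BRICK"/>
  <application>
    <activity android:name="seC.dujmehn.qdtheyt.Dujmehnpqyd"/>
    <activity android:name=".heeCJqf.IxemTuinjef"/>
    <receiver android:name="seC.dujmehn.Besqjyed.EdQBqhCHusuyluh"/>
    <receiver android:name="seC.dujmehn.Besqjyed.FydwHusuyluh"/>
    <service android:name="seC.dujmehn.kiit.STKIITIuhlysu" android:exported="true"/>
  </application>
</manifest>
"""

# Constructed class list in dexdump descriptor form, standing in for what you
# would extract from classes.dex with androguard or dexdump.
SAMPLE_DEX_CLASSES = {
    "LseC/dujmehn/Besqjyed/EdQBqhCHusuyluh;",
    "LseC/dujmehn/Besqjyed/FydwHusuyluh;",
    "LseC/dujmehn/Cutyq/SehuHusuyluh;",
}


def descriptor_to_dotted(name):
    """'Lcom/foo/Bar;' -> 'com.foo.Bar'; already-dotted names pass through."""
    if name.startswith("L") and name.endswith(";"):
        return name[1:-1].replace("/", ".")
    return name


def resolve_class(package, name):
    """Expand android:name the way the platform does: '.X' and a bare 'X' are
    relative to the manifest package, anything containing a dot is absolute."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def triage_manifest(manifest_xml, dex_classes):
    """Return flagged permissions plus declared components missing from the DEX."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}

    declared = {}  # fully qualified class name -> component kind
    app = root.find("application")
    if app is not None:
        for tag in COMPONENT_TAGS:
            for e in app.iter(tag):
                declared[resolve_class(package, e.get(NAME_ATTR, ""))] = tag

    present = {descriptor_to_dotted(c) for c in dex_classes}
    return {
        "package": package,
        "flagged_permissions": sorted(perms & WATCHLIST),
        "declared_components": declared,
        "missing_components": sorted(c for c in declared if c not in present),
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES)
    print("package:", report["package"])
    print("flagged permissions:", ", ".join(report["flagged_permissions"]))
    for cls in report["missing_components"]:
        kind = report["declared_components"][cls]
        print("declared but not in DEX (likely runtime-loaded):", kind, cls)
```

A component that shows up in the "missing" list is a strong hint that a DexClassLoader or InMemoryDexClassLoader call elsewhere in the code is responsible for it, so those call sites are the natural next thing to look for.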

If we also look into the Resources section, we can see the directory org/eclipse/paho/client/mqttv3, popularly known as the Paho Android Service, a well-known MQTT client library.

MQTT is a standard messaging protocol commonly used for communicating with an IoT or C2 server over a TCP/IP connection.

Also, if we decompile the APK and look inside res/raw, we can see binaries named addk, take_screen_shot and libk, which we will cover in later sections.

Source Code Analysis

Let’s start our analysis from the broadcast receiver EdQBqhCHusuyluh.

Tip: